Business process-based valuation of IT-security
Source: ACM SIGSOFT Software Engineering Notes
Volume 30, Issue 4 (July 2005)
SESSION: Economics-Driven Software Engineering Research (EDSER)
Pages: 1 - 5
Year of Publication: 2005
ISSN: 0163-5948
Authors
Thomas Neubauer, Vienna University of Technology, Austria
Markus Klemen, Vienna University of Technology, Austria
Stefan Biffl, Vienna University of Technology, Austria
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1082983.1083099

ABSTRACT

Growing business integration raises the need for secure business processes as security problems can affect the profit and the reputation of a company. However, decisions regarding a reasonable level of security in a business environment are often made in a value-neutral way. This paper presents a framework for the valuation of cost-benefit of various security levels with business processes. The framework can be used for planning security levels in software development and allows further continuous monitoring and improvement of cost-benefit of security measures along with operative business processes.


